- Issue created by @larowlan
- Merge request !11138: Ensure that labels used in config translation are escaped (Open) created by akalata
- 🇺🇸 United States greggles Denver, Colorado, USA
The title is SSRF (server side request forgery), which I understand to mean a request from the server to other machines on the server's network, as described in PortSwigger and OWASP.
The description includes:
The vulnerability allows one Drupal user with administrative permissions to create a page which can force another Drupal user to make a call to a server under the control of an attacker.
and
The browser will make a call to the malicious server
That is not a server-side request.
I can see how this would let an admin gain data about the site visitors, which is not ideal, but on most sites an admin who can enter translations can probably already make other changes to a site that would also gain information about a visitor.
I'm surprised if this is the only place where a user with only the ability to translate could insert an image. I think other strings are similarly not filtered.
- 🇺🇸 United States smustgrave
Seems the test-only failure is passing when we would expect it to fail, so I think that needs tweaking: https://git.drupalcode.org/issue/drupal-3440399/-/jobs/4273224
- Assigned to akalata
- Status changed to Needs work
- 18 May 2025: First commit to issue fork.
- 🇨🇭 Switzerland berdir Switzerland
This does a strip_tags(), which seems wrong, and the escape then is pointless?
If the source config has some HTML, you want to see that, as the translation needs the same.
It should just escape and should then also assert the escaped markup.
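To make the difference concrete, here is an added example (not Drupal core code and not from the merge request) contrasting strip_tags() with escaping on a config translation label. The sample strings and the function names are constructed for illustration; escapeLabel() uses the same htmlspecialchars() call that Drupal\Component\Utility\Html::escape() makes.

```php
<?php
// Constructed sample strings (not from the issue): a legitimate source label
// that contains markup the translator must reproduce, and a label carrying an
// image tag of the kind the issue describes.
$sourceLabel  = 'Read the <em>terms</em>';
$hostileLabel = 'Terms <img src="http://example.invalid/pixel.gif">';

// Same call as Drupal\Component\Utility\Html::escape(): markup is rendered
// inert but stays visible to the translator.
function escapeLabel(string $label): string {
  return htmlspecialchars($label, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The strip_tags() approach: the hostile tag is gone, but so is the <em> the
// translator needs to see in order to produce an equivalent translation.
function stripLabel(string $label): string {
  return strip_tags($label);
}

// Legitimate source: escaping keeps the markup visible, stripping loses it.
assert(escapeLabel($sourceLabel) === 'Read the &lt;em&gt;terms&lt;/em&gt;');
assert(stripLabel($sourceLabel) === 'Read the terms');

// Hostile label: after escaping, no element is emitted, so no browser request.
$escaped = escapeLabel($hostileLabel);
assert(strpos($escaped, '<img') === false);
assert($escaped === 'Terms &lt;img src=&quot;http://example.invalid/pixel.gif&quot;&gt;');

// A test for the fix should assert on the escaped markup itself, as suggested
// above, not merely on the absence of the raw tag, which strip_tags() would
// also satisfy while silently discarding the source HTML.
echo "strip_tags: ", stripLabel($sourceLabel), PHP_EOL;
echo "escaped:    ", escapeLabel($sourceLabel), PHP_EOL;
```

The last assertion is the kind of exact-string check a test needs, because a looser check such as "the raw tag is absent" passes for both approaches and cannot tell them apart.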
- 🇫🇷 France prudloff Lille
I removed the strip_tags() call, I think it was added in order to not break ConfigTranslationUiModulesTest.
And I added an assertion with the escaped string (it needs to be precise because other parts of the page already contain the escaped payload in other places).